Todo description, entity codes, REST API extensions and Claude Code hardening (ST-509/511/512/513) (#2)

* docs(ST-511): add backlog entry for entity codes feature Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(ST-511): add createWithCodeRetry helper to handle P2002 race on auto codes Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(ST-511): retry on auto-code unique conflict in story and pbi create Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(ST-511): surface field errors for code and title in PBI dialog Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(ST-511): read create-state errors in Story dialog fieldError Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * docs(ST-512): add backlog entry for REST API code/description/implementation_plan extensions; mark ST-511 done Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(ST-512): extend REST API with code, description and implementation_plan - GET /api/products returns code, description and definition_of_done - GET /api/products/:id/next-story returns story.code and per-task code + implementation_plan - GET /api/sprints/:id/tasks returns description, implementation_plan, story_code and derived per-task code - POST /api/todos accepts and returns optional description (max 2000) All changes are additive — existing clients ignore unknown keys. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * docs(ST-512): mark ST-512 as done Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * docs(ST-513): add backlog entry for API hardening for Claude Code Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(ST-513): add task and story status mappers for API boundary Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(ST-513): expose lowercase status on API and accept lowercase in PATCH /api/tasks Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(ST-513): add metadata JSONB column to StoryLog Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(ST-513): accept optional metadata in story log and switch validation errors to 422 Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(ST-513): add GET /api/health endpoint with optional db ping Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(ST-513): add GET /api/products/:id/claude-context bundled endpoint Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * docs(ST-513): add docs/API.md and link from CLAUDE.md specs table Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * docs(ST-513): mark ST-513 as done Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(ST-513): split 400 (malformed JSON) from 422 (validation), reject 'review' Codex review on PR #2: - P2.1: routes treated JSON parse failures as 422 instead of 400, breaking the contract in docs/API.md. Replace `request.json().catch(() => null)` with try/catch in 4 routes (tasks, reorder, todos, story-log) so a malformed body returns 400 and only well-formed-but-invalid bodies return 422. - P2.2: PATCH /api/tasks/:id accepted `status: "review"`, but the sprint task list UI does not render REVIEW (no label/color, the cycle helper falls back to TO_DO). Reject `review` at the API until the sprint UI is extended; document the subset in docs/API.md. Tests in __tests__/api updated for the new contract (29 assertions: zod-failures now expect 422, status payloads use lowercase API values, sprint-tasks mocks include the new story relation). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-26 23:40:54 +02:00 · 2026-04-26 23:40:54 +02:00 · 43a4294424
commit 43a4294424
parent a8adac127f
29 changed files with 809 additions and 116 deletions
--- a/tests/api/next-story.test.ts
+++ b/tests/api/next-story.test.ts
@ -92,7 +92,7 @@ describe('GET /api/products/:id/next-story', () => {
      acceptance_criteria: '- Gebruikersnaam verplicht',
    })
    expect(data.tasks).toHaveLength(2)
-    expect(data.tasks[0]).toMatchObject({ id: 'task-1', status: 'TO_DO' })
+    expect(data.tasks[0]).toMatchObject({ id: 'task-1', status: 'todo' })
  })

  it('queries story ordered by priority then sort_order', async () => {
--- a/tests/api/reorder.test.ts
+++ b/tests/api/reorder.test.ts
@ -55,32 +55,32 @@ describe('PATCH /api/stories/:id/tasks/reorder', () => {
  })

  // TC-RO-06 — body validation fires before story lookup
-  it('returns 400 when task_ids is an empty array', async () => {
+  it('returns 422 when task_ids is an empty array', async () => {
    const res = await patchReorder(...makeRequest({ task_ids: [] }))
-    expect(res.status).toBe(400)
+    expect(res.status).toBe(422)
    expect(mockPrisma.story.findFirst).not.toHaveBeenCalled()
  })

  // TC-RO-07
-  it('returns 400 when task_ids is not an array', async () => {
+  it('returns 422 when task_ids is not an array', async () => {
    const res = await patchReorder(...makeRequest({ task_ids: 'task-1' }))
-    expect(res.status).toBe(400)
+    expect(res.status).toBe(422)
    expect(mockPrisma.story.findFirst).not.toHaveBeenCalled()
  })

-  it('returns 400 when task_ids is missing entirely', async () => {
+  it('returns 422 when task_ids is missing entirely', async () => {
    const res = await patchReorder(...makeRequest({}))
-    expect(res.status).toBe(400)
+    expect(res.status).toBe(422)
  })

  // TC-RO-08
-  it('returns 400 when task_ids contains an ID not belonging to the story', async () => {
+  it('returns 422 when task_ids contains an ID not belonging to the story', async () => {
    mockPrisma.story.findFirst.mockResolvedValue(makeStory(['task-1', 'task-2']))

    const res = await patchReorder(...makeRequest({ task_ids: ['task-1', 'task-from-other-story'] }))
    const data = await res.json()

-    expect(res.status).toBe(400)
+    expect(res.status).toBe(422)
    expect(data.error).toContain('task-from-other-story')
  })

--- a/tests/api/security.test.ts
+++ b/tests/api/security.test.ts
@ -389,7 +389,7 @@ describe('PATCH /api/tasks/:id', () => {
    mockPrisma.task.update.mockResolvedValue({ id: 'task-1', status: 'DONE' })

    const res = await patchTask(
-      makePatch('http://localhost/api/tasks/task-1', { status: 'DONE' }),
+      makePatch('http://localhost/api/tasks/task-1', { status: 'done' }),
      routeCtx('task-1')
    )
    expect(res.status).toBe(200)
--- a/tests/api/sprint-tasks.test.ts
+++ b/tests/api/sprint-tasks.test.ts
@ -28,7 +28,20 @@ const mockAuth = authenticateApiRequest as ReturnType<typeof vi.fn>
 const SPRINT = { id: 'sprint-1', product_id: 'prod-1', status: 'ACTIVE' }

 function makeTask(n: number) {
-  return { id: `task-${n}`, title: `Task ${n}`, story_id: 'story-1', priority: 1, sort_order: n, status: 'TO_DO' }
+  return {
+    id: `task-${n}`,
+    title: `Task ${n}`,
+    description: null,
+    implementation_plan: null,
+    story_id: 'story-1',
+    priority: 1,
+    sort_order: n,
+    status: 'TO_DO',
+    story: {
+      code: 'ST-1',
+      tasks: [{ id: `task-${n}` }],
+    },
+  }
 }

 function makeRequest(sprintId = 'sprint-1', limit?: number): [Request, { params: Promise<{ id: string }> }] {
@ -124,7 +137,7 @@ describe('GET /api/sprints/:id/tasks', () => {
      story_id: 'story-1',
      priority: 1,
      sort_order: 1,
-      status: 'TO_DO',
+      status: 'todo',
    })
  })
 })
--- a/tests/api/story-log.test.ts
+++ b/tests/api/story-log.test.ts
@ -48,27 +48,27 @@ describe('POST /api/stories/:id/log', () => {
  })

  // TC-L-06
-  it('returns 400 when type field is missing', async () => {
+  it('returns 422 when type field is missing', async () => {
    const res = await postStoryLog(...makeRequest({ content: 'Missing type' }))
-    expect(res.status).toBe(400)
+    expect(res.status).toBe(422)
  })

  // TC-L-07
-  it('returns 400 for unknown type value', async () => {
+  it('returns 422 for unknown type value', async () => {
    const res = await postStoryLog(...makeRequest({ type: 'UNKNOWN', content: 'test' }))
-    expect(res.status).toBe(400)
+    expect(res.status).toBe(422)
  })

  describe('type: IMPLEMENTATION_PLAN', () => {
    // TC-L-08
-    it('returns 400 when content is missing', async () => {
+    it('returns 422 when content is missing', async () => {
      const res = await postStoryLog(...makeRequest({ type: 'IMPLEMENTATION_PLAN' }))
-      expect(res.status).toBe(400)
+      expect(res.status).toBe(422)
    })

-    it('returns 400 when content is empty string', async () => {
+    it('returns 422 when content is empty string', async () => {
      const res = await postStoryLog(...makeRequest({ type: 'IMPLEMENTATION_PLAN', content: '' }))
-      expect(res.status).toBe(400)
+      expect(res.status).toBe(422)
    })

    // TC-L-09
@ -95,17 +95,17 @@ describe('POST /api/stories/:id/log', () => {

  describe('type: TEST_RESULT', () => {
    // TC-L-10
-    it('returns 400 when status is missing', async () => {
+    it('returns 422 when status is missing', async () => {
      const res = await postStoryLog(...makeRequest({ type: 'TEST_RESULT', content: 'Tests done' }))
-      expect(res.status).toBe(400)
+      expect(res.status).toBe(422)
    })

    // TC-L-11
-    it('returns 400 for invalid status value', async () => {
+    it('returns 422 for invalid status value', async () => {
      const res = await postStoryLog(
        ...makeRequest({ type: 'TEST_RESULT', content: 'Tests done', status: 'UNKNOWN' })
      )
-      expect(res.status).toBe(400)
+      expect(res.status).toBe(422)
    })

    // TC-L-12
@ -142,19 +142,19 @@ describe('POST /api/stories/:id/log', () => {

  describe('type: COMMIT', () => {
    // TC-L-14
-    it('returns 400 when commit_hash is missing', async () => {
+    it('returns 422 when commit_hash is missing', async () => {
      const res = await postStoryLog(
        ...makeRequest({ type: 'COMMIT', content: 'feat: done', commit_message: 'feat: ST-001' })
      )
-      expect(res.status).toBe(400)
+      expect(res.status).toBe(422)
    })

    // TC-L-15
-    it('returns 400 when commit_message is missing', async () => {
+    it('returns 422 when commit_message is missing', async () => {
      const res = await postStoryLog(
        ...makeRequest({ type: 'COMMIT', content: 'feat: done', commit_hash: 'abc1234' })
      )
-      expect(res.status).toBe(400)
+      expect(res.status).toBe(422)
    })

    // TC-L-16
--- a/tests/api/tasks.test.ts
+++ b/tests/api/tasks.test.ts
@ -59,31 +59,31 @@ describe('PATCH /api/tasks/:id', () => {
  })

  // TC-T-06
-  it('returns 400 for invalid status value', async () => {
+  it('returns 422 for invalid status value', async () => {
    const res = await patchTask(...makeRequest({ status: 'INVALID' }))
-    expect(res.status).toBe(400)
+    expect(res.status).toBe(422)
  })

  // TC-T-07
-  it('returns 400 when body has no recognized fields', async () => {
+  it('returns 422 when body has no recognized fields', async () => {
    const res = await patchTask(...makeRequest({}))
-    expect(res.status).toBe(400)
+    expect(res.status).toBe(422)
  })

-  it('returns 400 when body has only unrecognized fields', async () => {
+  it('returns 422 when body has only unrecognized fields', async () => {
    const res = await patchTask(...makeRequest({ unknown_field: 'value' }))
-    expect(res.status).toBe(400)
+    expect(res.status).toBe(422)
  })

  // TC-T-08
  it('updates status only and returns 200 with updated task', async () => {
    mockPrisma.task.update.mockResolvedValue({ id: 'task-1', status: 'IN_PROGRESS', implementation_plan: null })

-    const res = await patchTask(...makeRequest({ status: 'IN_PROGRESS' }))
+    const res = await patchTask(...makeRequest({ status: 'in_progress' }))
    const data = await res.json()

    expect(res.status).toBe(200)
-    expect(data).toMatchObject({ id: 'task-1', status: 'IN_PROGRESS' })
+    expect(data).toMatchObject({ id: 'task-1', status: 'in_progress' })
    expect(mockPrisma.task.update).toHaveBeenCalledWith(
      expect.objectContaining({
        data: { status: 'IN_PROGRESS' },
@ -113,11 +113,11 @@ describe('PATCH /api/tasks/:id', () => {
    const plan = 'Full plan here.'
    mockPrisma.task.update.mockResolvedValue({ id: 'task-1', status: 'DONE', implementation_plan: plan })

-    const res = await patchTask(...makeRequest({ status: 'DONE', implementation_plan: plan }))
+    const res = await patchTask(...makeRequest({ status: 'done', implementation_plan: plan }))
    const data = await res.json()

    expect(res.status).toBe(200)
-    expect(data).toMatchObject({ status: 'DONE', implementation_plan: plan })
+    expect(data).toMatchObject({ status: 'done', implementation_plan: plan })
    expect(mockPrisma.task.update).toHaveBeenCalledWith(
      expect.objectContaining({
        data: { status: 'DONE', implementation_plan: plan },
@ -127,20 +127,32 @@ describe('PATCH /api/tasks/:id', () => {

  // TC-T-11
  it('allows update when user is a team member (not product owner)', async () => {
-    // task belongs to user-2's product, but user-1 is a member
    mockAuth.mockResolvedValue({ userId: 'user-1', isDemo: false })
    mockPrisma.task.findFirst.mockResolvedValue(makeTask({ userId: 'user-2', membersLength: 1 }))
    mockPrisma.task.update.mockResolvedValue({ id: 'task-1', status: 'DONE', implementation_plan: null })

-    const res = await patchTask(...makeRequest({ status: 'DONE' }))
+    const res = await patchTask(...makeRequest({ status: 'done' }))
    expect(res.status).toBe(200)
  })

-  it('all three valid status values are accepted', async () => {
-    for (const status of ['TO_DO', 'IN_PROGRESS', 'DONE'] as const) {
-      mockPrisma.task.update.mockResolvedValue({ id: 'task-1', status, implementation_plan: null })
-      const res = await patchTask(...makeRequest({ status }))
+  it('the three patchable status values are accepted (review is rejected)', async () => {
+    for (const apiStatus of ['todo', 'in_progress', 'done'] as const) {
+      const dbStatus = { todo: 'TO_DO', in_progress: 'IN_PROGRESS', done: 'DONE' }[apiStatus]
+      mockPrisma.task.update.mockResolvedValue({ id: 'task-1', status: dbStatus, implementation_plan: null })
+      const res = await patchTask(...makeRequest({ status: apiStatus }))
      expect(res.status).toBe(200)
    }
+    const reviewRes = await patchTask(...makeRequest({ status: 'review' }))
+    expect(reviewRes.status).toBe(422)
+  })
+
+  it('returns 400 for malformed JSON', async () => {
+    const req = new Request('http://localhost/api/tasks/task-1', {
+      method: 'PATCH',
+      headers: { Authorization: 'Bearer test-token', 'Content-Type': 'application/json' },
+      body: '{not json',
+    })
+    const res = await patchTask(req, { params: Promise.resolve({ id: 'task-1' }) })
+    expect(res.status).toBe(400)
  })
 })
--- a/tests/api/todos.test.ts
+++ b/tests/api/todos.test.ts
@ -45,26 +45,26 @@ describe('POST /api/todos', () => {
  })

  // TC-TD-04
-  it('returns 400 when title is missing', async () => {
+  it('returns 422 when title is missing', async () => {
    const res = await postTodo(makeRequest({ product_id: 'prod-1' }))
-    expect(res.status).toBe(400)
+    expect(res.status).toBe(422)
  })

  // TC-TD-05
-  it('returns 400 when title is empty string', async () => {
+  it('returns 422 when title is empty string', async () => {
    const res = await postTodo(makeRequest({ title: '', product_id: 'prod-1' }))
-    expect(res.status).toBe(400)
+    expect(res.status).toBe(422)
  })

-  it('returns 400 when product_id is missing', async () => {
+  it('returns 422 when product_id is missing', async () => {
    // product_id is required by the Zod schema (z.string().min(1))
    const res = await postTodo(makeRequest({ title: 'My todo' }))
-    expect(res.status).toBe(400)
+    expect(res.status).toBe(422)
  })

-  it('returns 400 when product_id is empty string', async () => {
+  it('returns 422 when product_id is empty string', async () => {
    const res = await postTodo(makeRequest({ title: 'My todo', product_id: '' }))
-    expect(res.status).toBe(400)
+    expect(res.status).toBe(422)
  })

  // TC-TD-07